CVE-2014-1693
Published: 2014-12-08
Priority: P3 · 42 · high · CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EPSS: 2.19% (80.2nd percentile)
Multiple CRLF injection vulnerabilities in the FTP module in Erlang/OTP R15B03 allow context-dependent attackers to inject arbitrary FTP commands via CRLF sequences in the (1) user, (2) account, (3) cd, (4) ls, (5) nlist, (6) rename, (7) delete, (8) mkdir, (9) rmdir, (10) recv, (11) recv_bin, (12) recv_chunk_start, (13) send, (14) send_bin, (15) send_chunk_start, (16) append_chunk_start, (17) append, or (18) append_bin command.
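The bug class behind this CVE is the same for all eighteen listed functions: a caller-supplied string (user name, account, directory, file name) is written onto the FTP control channel as `VERB SP argument CRLF` without being checked, so an argument that itself contains CRLF ends the line early and the remainder is read by the server as a second command. The following Python is an added illustration, not code from this page, from Erlang/OTP or from any of the advisories quoted here. The command builder, the toy server-side line reader and the `MALICIOUS_PATH` value are all constructed for the example; the "safe" builder shows one reasonable fix (reject CR/LF before the argument reaches the socket) and is not a description of what the OTP patch actually does.

```python
import re
from typing import List, Tuple

CRLF = "\r\n"
_CR_OR_LF = re.compile(r"[\r\n]")


class CrlfInjectionError(ValueError):
    """Raised when an argument would terminate the control-channel line early."""


def build_command_vulnerable(verb: str, arg: str) -> bytes:
    # Unpatched pattern (constructed model): the caller-supplied argument is
    # written verbatim between the verb and the line terminator.
    return f"{verb} {arg}{CRLF}".encode("latin-1")


def build_command_safe(verb: str, arg: str) -> bytes:
    # Hardened pattern (one reasonable fix, not a claim about the OTP patch):
    # refuse any argument containing CR or LF before it touches the socket.
    if _CR_OR_LF.search(arg):
        raise CrlfInjectionError(f"CR/LF not allowed in {verb} argument")
    return build_command_vulnerable(verb, arg)


def server_parse(stream: bytes) -> List[Tuple[str, str]]:
    # Toy model of an FTP server's control-channel reader: one command per
    # line, terminated by CRLF (a bare LF is tolerated, as many servers do).
    commands = []
    for line in re.split(rb"\r?\n", stream):
        if not line:
            continue
        verb, _, arg = line.decode("latin-1").partition(" ")
        commands.append((verb.upper(), arg))
    return commands


# Constructed attacker-controlled value: a "directory name" that a vulnerable
# application would hand to ftp:cd/2 without inspecting it.
MALICIOUS_PATH = "pub\r\nDELE backup.tar"


def demo_vulnerable() -> List[Tuple[str, str]]:
    # What the server sees when the unpatched builder sends CWD <path>:
    # two commands, the second one chosen by whoever controlled the path.
    return server_parse(build_command_vulnerable("CWD", MALICIOUS_PATH))


def demo_safe() -> str:
    # The hardened builder never puts the injected command on the wire.
    try:
        build_command_safe("CWD", MALICIOUS_PATH)
    except CrlfInjectionError as exc:
        return str(exc)
    return "no error raised"


if __name__ == "__main__":
    print("unpatched client, server-side view:", demo_vulnerable())
    print("patched client:", demo_safe())
```

The server-side split is what makes this a command injection rather than an odd file name: the client's single `cd` call becomes `CWD pub` followed by `DELE backup.tar`, executed with the authenticated session's privileges. Rejecting CR and LF at the API boundary (rather than escaping them) is the simplest check, since RFC 959 gives no legitimate use for a raw CRLF inside a command argument.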
Affected
8 ranges (identical rows collapsed)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | erlang | < 1:16.b.3.1-dfsg-3 (bookworm) | 1:16.b.3.1-dfsg-3 (bookworm) |
| erlang | erlang_otp | — | — |
| erlang | erlang_otp | >= 0 < 1:16.b.3.1-dfsg-3 | 1:16.b.3.1-dfsg-3 |
| erlang | erlang_otp | >= 0 < 1:16.b.3-dfsg-1ubuntu2.2 | 1:16.b.3-dfsg-1ubuntu2.2 |
| erlang | erlang_otp | >= 0 < 1:18.3-dfsg-1ubuntu3.1 | 1:18.3-dfsg-1ubuntu3.1 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | LOW | — |
| vendor_ubuntu | — | 7.5 | HIGH | — |
| vendor_redhat | — | 4.3 | MEDIUM | — |
The vendor_redhat score matches the Red Hat record listed below, which concerns CVE-2014-1505 (a Mozilla issue), not this CVE; Red Hat's Bugzilla entry for the Erlang flaw carries 7.5.
GHSA
GHSA-q3fq-w858-v26f · ghsa_unreviewed · 2022-05-14 · [HIGH]
Multiple CRLF injection vulnerabilities in the FTP module in Erlang/OTP R15B03 allow context-dependent attackers to inject arbitrary FTP commands via CRLF sequences in the (1) user, (2) account, (3) cd, (4) ls, (5) nlist, (6) rename, (7) delete, (8) mkdir, (9) rmdir, (10) recv, (11) recv_bin, (12) recv_chunk_start, (13) send, (14) send_bin, (15) send_chunk_start, (16) append_chunk_start, (17) append, or (18) append_bin command.
OSV
erlang vulnerabilities · osv · 2018-02-14 · CVSS 7.5 [HIGH]
It was discovered that the Erlang FTP module incorrectly handled certain
CRLF sequences. A remote attacker could possibly use this issue to inject
arbitrary FTP commands. This issue only affected Ubuntu 14.04 LTS.
(CVE-2014-1693)
It was discovered that Erlang incorrectly checked CBC padding bytes. A
remote attacker could possibly use this issue to perform a padding oracle
attack and decrypt traffic. This issue only affected Ubuntu 14.04 LTS.
(CVE-2015-2774)
It was discovered that Erlang incorrectly handled certain regular
expressions. A remote attacker could possibly use this issue to cause
Erlang to crash, resulting in a denial of service, or execute arbitrary
code. This issue only affected Ubuntu 16.04 LTS. (CVE-2016-10253)
Hanno Böck, Juraj Somorovsky and Crai
OSV
CVE-2014-1693 · osv · 2014-12-08 · CVSS 7.5 [HIGH]
Multiple CRLF injection vulnerabilities in the FTP module in Erlang/OTP R15B03 allow context-dependent attackers to inject arbitrary FTP commands via CRLF sequences in the (1) user, (2) account, (3) cd, (4) ls, (5) nlist, (6) rename, (7) delete, (8) mkdir, (9) rmdir, (10) recv, (11) recv_bin, (12) recv_chunk_start, (13) send, (14) send_bin, (15) send_chunk_start, (16) append_chunk_start, (17) append, or (18) append_bin command.
Ubuntu
Erlang vulnerabilities · vendor_ubuntu · 2018-02-14 · CVSS 7.5 [HIGH]
Summary: Several security issues were fixed in Erlang.
Red Hat
Mozilla: SVG filters information disclosure through feDisplacementMap (MFSA 2014-28) · vendor_redhat · 2014-03-18 · CVSS 4.3 [MEDIUM]
This record is for CVE-2014-1505 and has nothing to do with the Erlang FTP module; it was evidently matched to this page on the "CVE-2013-1693" reference in its text. It is kept here as it appears in the source feed.
The SVG filter implementation in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and SeaMonkey before 2.25 allows remote attackers to obtain sensitive displacement-correlation information, and possibly bypass the Same Origin Policy and read text from a different domain, via a timing attack involving feDisplacementMap elements, a related issue to CVE-2013-1693.
Debian
CVE-2014-1693: erlang · vendor_debian · 2014 · CVSS 7.5 [HIGH]
Multiple CRLF injection vulnerabilities in the FTP module in Erlang/OTP R15B03 allow context-dependent attackers to inject arbitrary FTP commands via CRLF sequences in the (1) user, (2) account, (3) cd, (4) ls, (5) nlist, (6) rename, (7) delete, (8) mkdir, (9) rmdir, (10) recv, (11) recv_bin, (12) recv_chunk_start, (13) send, (14) send_bin, (15) send_chunk_start, (16) append_chunk_start, (17) append, or (18) append_bin command.
Scope: local
bookworm: resolved (fixed in 1:16.b.3.1-dfsg-3)
bullseye: resolved (fixed in 1:16.b.3.1-dfsg-3)
forky: resolved (fixed in 1:16.b.3.1-dfsg-3)
sid: resolved (fixed in 1:16.b.3.1-dfsg-3)
trixie: resolved (fixed in 1:16.b.3.1-dfsg-3)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2014-1693 erlang-inets: command injection flaw in FTP module · bugzilla · 2014-01-29 · CVSS 7.5 [HIGH]
An FTP command injection flaw was found [1] in Erlang's FTP module. Several functions in the FTP module do not properly sanitize the input before passing it into a control socket. A local attacker can use this flaw to execute arbitrary FTP commands on a system that uses this module.
This issue has been reported upstream [2], but has not yet been fixed.
[1] http://seclists.org/oss-sec/2014/q1/163
[2] http://erlang.org/pipermail/erlang-bugs/2014-January/003998.html
Discussion:
Created erlang tracking bugs for this issue:
Affects: fedora-all [bug 1059333]
Affects: epel-all [bug 1059335]
---
erlang-R16B-03.9.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this
Bugzilla
CVE-2014-1693 erlang: erlang-inets: command injection flaw in FTP module [fedora-all] · bugzilla · 2014-01-29 · CVSS 7.5 [HIGH]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
Please note: this i
Bugzilla
CVE-2014-1693 erlang: erlang-inets: command injection flaw in FTP module [epel-all] · bugzilla · 2014-01-29 · CVSS 7.5 [HIGH]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
Please note: thi
References
http://advisories.mageia.org/MGASA-2014-0553.html
http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145017.html
http://seclists.org/oss-sec/2014/q1/163
http://www.mandriva.com/security/advisories?name=MDVSA-2015:174
https://bugzilla.redhat.com/show_bug.cgi?id=1059331
https://usn.ubuntu.com/3571-1/